The attack campaign, dubbed DarkVishnya - dark cherry - has targeted at least eight Eastern European banks, says Sergey Golovanov, a principal security researcher at Moscow-based endpoint security firm Kaspersky Lab, which was called in to investigate the thefts.

"Each attack had a common springboard: an unknown device directly connected to the company's local network," he says in a blog post. "In some cases, it was the central office, in others a regional office, sometimes located in another country."

Catch Me If You Can

Golovanov says that the attack campaign began in 2017 and has continued throughout this year. In all of the attacks, he says the attackers have made use of one of these types of computing devices:

Inexpensive portables: Low-cost laptops and netbooks;

Raspberry Pi: A credit-card-sized computer that costs $35 and up;

Bash Bunny: A $100 USB stick designed for penetration testers and systems administrators that manufacturer Hak5 bills as being "a simple and powerful multifunction USB attack and automation platform."

Golovanov says the choice of device appeared to be tied to the attackers' skill level and, no doubt, to simple personal preference. Once connected to a targeted LAN, attackers gained remote access to the device by using a built-in or USB-connected LTE, GPRS or 3G modem.

Kaspersky Lab warns that "high-tech tables with sockets are great for planting hidden devices."

Three Attack Stages

Physical access: Attackers, potentially posing as couriers or job seekers, entered a facility and looked for a place to connect their device, often in a meeting room. "Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion," Golovanov says.

Remote reconnaissance: With the device in place, attackers would remotely connect to the hidden device and begin conducting reconnaissance, as well as brute-force sniffing for login data, to attempt to identify any workstations or servers involved in handling payments. To bypass internal firewall restrictions, "they planted shellcodes with local TCP servers," Golovanov says. "If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels."

Remote login: Once attackers identified a system used to make payments, they worked to gain persistent remote access to the system and then remotely ran executable files.

Golovanov says the attackers' MO was to remotely install msfvenom, which is a stand-alone payload generator for Metasploit, an open source penetration testing toolkit.

"If they encountered a whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, the cybercriminals used impacket, and winexesvc.exe or psexec.exe, to run executable files remotely," he adds. All of those tools can provide administrators - or in this case, attackers - with the ability to remotely install and execute files.
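The common springboard in every one of these intrusions was an unknown device plugged into the local network, which is also where a defender has the best chance of catching it. The following is an added example, not code from Kaspersky Lab or the article, of a simple rogue-device check: it parses DHCP lease records, flags any MAC address that is missing from the asset inventory or whose hostname disagrees with it, and separately flags hobbyist-board vendor prefixes. The log format (modelled loosely on ISC dhcpd syslog output), the inventory and the MAC addresses are constructed; the b8:27:eb OUI is the publicly registered Raspberry Pi Foundation prefix.

```python
import re
from dataclasses import dataclass

# Constructed sample of DHCP lease log lines (format is an assumption,
# modelled loosely on ISC dhcpd syslog output, not taken from the article).
SAMPLE_LEASE_LOG = """\
Dec 04 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.5.41 to 00:50:56:a1:0c:1f (fin-ws-041) via eth0
Dec 04 09:13:44 dhcp1 dhcpd: DHCPACK on 10.20.5.42 to 00:50:56:a1:0c:20 (fin-ws-042) via eth0
Dec 04 11:02:17 dhcp1 dhcpd: DHCPACK on 10.20.7.199 to b8:27:eb:4e:91:a3 (raspberrypi) via eth0
Dec 04 11:40:09 dhcp1 dhcpd: DHCPACK on 10.20.7.200 to 3c:97:0e:11:22:33 (DESKTOP-7KQ2) via eth0
"""

# Constructed asset inventory: MAC address -> hostname the asset register expects.
INVENTORY = {
    "00:50:56:a1:0c:1f": "fin-ws-041",
    "00:50:56:a1:0c:20": "fin-ws-042",
}

# Vendor-prefix watchlist for single-board computers. b8:27:eb is the
# Raspberry Pi Foundation OUI; check the IEEE registry before extending this.
WATCHLIST_OUI = {"b8:27:eb": "Raspberry Pi Foundation"}

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    host: str
    reason: str

def find_rogue_leases(log_text, inventory=INVENTORY, watchlist=WATCHLIST_OUI):
    """Return one Finding per suspicious lease, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue  # not a lease acknowledgement, skip
        ip, mac, host = m["ip"], m["mac"].lower(), m["host"] or ""
        oui = mac[:8]  # first three octets identify the hardware vendor
        if oui in watchlist:
            findings.append(Finding(ip, mac, host, f"OUI on watchlist: {watchlist[oui]}"))
        if mac not in inventory:
            findings.append(Finding(ip, mac, host, "MAC not in asset inventory"))
        elif inventory[mac] != host:
            findings.append(Finding(ip, mac, host, f"hostname mismatch, inventory says {inventory[mac]}"))
    return findings
```

MAC addresses can be spoofed, so treat a clean result as absence of evidence rather than proof of a clean network; the check is cheap enough to run against every lease and switch port table regardless.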

Malicious Hardware Evolves

One tried-and-true attack against retail establishments, restaurants and hotels that use point-of-sale devices to read customers' payment cards involves a two-man crew entering a building. One attacker distracts an employee while the other swaps a legitimate payment card reader with a look-alike version that has a skimmer installed. The skimmer then begins keeping a copy of all cards that get swiped, for later retrieval, potentially remotely, by attackers.

Security researchers have also been demonstrating how hobbyist hardware might be put to use by crime gangs. At the 2014 Black Hat Europe conference in Amsterdam, for example, two security researchers showed how they were able to program a Raspberry Pi and connect it to the port of an ATM to bypass the ATM's own systems and instruct the machine's cash dispenser to spit out all of its money (see: Hacking ATMs: No Malware Required).

The DarkVishnya campaign shows that as small, powerful and relatively inexpensive computing devices proliferate, and cost little enough that they can be treated as disposable, hackers will find innovative new ways to use them.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
